Search

Subscribe

A Model Regime of Privacy Protection

Last year I blogged about an article by Daniel J. Solove and Chris Hoofnagle titled "A Model Regime of Privacy Protection."

The paper has been revised a few times based on comments -- some of them from readers of this blog and Crypto-Gram -- and the final version has been published.

Abstract:
A series of major security breaches at companies with sensitive personal information has sparked significant attention to the problems with privacy protection in the United States. Currently, the privacy protections in the United States are riddled with gaps and weak spots. Although most industrialized nations have comprehensive data protection laws, the United States has maintained a sectoral approach where certain industries are covered and others are not. In particular, emerging companies known as "commercial data brokers" have frequently slipped through the cracks of U.S. privacy law. In this article, the authors propose a Model Privacy Regime to address the problems in the privacy protection in the United States, with a particular focus on commercial data brokers. Since the United States is unlikely to shift radically from its sectoral approach to a comprehensive data protection regime, the Model Regime aims to patch up the holes in existing privacy regulation and improve and extend it. In other words, the goal of the Model Regime is to build upon the existing foundation of U.S. privacy law, not to propose an alternative foundation. The authors believe that the sectoral approach in the United States can be improved by applying the Fair Information Practices -- principles that require the entities that collect personal data to extend certain rights to data subjects. The Fair Information Practices are very general principles, and they are often spoken about in a rather abstract manner. In contrast, the Model Regime demonstrates specific ways that they can be incorporated into privacy regulation in the United States.

Comments

At a conference a couple of weeks ago, I asked Dan Solove how his proposal represents a way forward given the failings we already know of Fair Information Practice laws. The Fair Credit Reporting Act has existed for more than 30 years, for example, and credit reporting is rife with unfairness.

A model law is one thing, but what can actually be passed into law is quite another. My sense is that the FCRA protects credit bureaus more than consumers. Any new federal law will inevitably come with preemption of state laws that might address the issues better. Indeed, the reason they will pass, if they do, is because of those business-friendly provisions.

I have advocated for common law causes of action such as negligence (in the case of data breaches that permit identity fraud) and commercial defamation or interference with prospective economic advantage (in the case of bad data). Dan has made clear to me (and he's right) that I owe the world more thinking on this.

There is general agreement on using liability to get data aggregators and data holders to internalize the risks their activities create, but I encourage people to withhold judgment on whether that liability should come through prescriptive bureaucratic regulation, or something else, such as common law remedies.

As much as I'd like to see something like this put into place, I don't see much hope. I'd certainly support an effort to change the laws to be more like the suggestions made.

One aspect that I believe is consistently underrated how low the data brokers will go to protect their business. The companies selling cell phone records are a good example of the way these companies generally operate. Companies can cross country boundaries to obscure legal limitations on what can be done with the data.

The tactics used to collect data are underhanded in many cases, illegal in others. If you've ever filled out a mail in rebate or product registration card, that information is already in one of these companies' databases. In effect, you sold your own information without knowing it. I've seen an example where one of the big data brokers is using government data in a questionable manner(pretending to be the person to confirm their data in a particular database) to augment their databases. My wife gets a ton of junk mail to one misspelling of her name that was used once with one credit card company and obviously sold to numerous sources since.

a model regime of privacy protection will never happen as long as the businesses we're trying to regulate own the whores who make the law. as i've commented before, protection of your privacy begins with you, not your congressman. a really good day from your congressman would be if he were in a coma.

The government will insist that there be a completely secret means of accessing all of the data, with no possibility of an audit trail. Thus any scheme implemented must be designed to fail on demand, without leaving evidence behind. So all this is just wishful thinking.

I have tried the SSRN web site and get an error page for 'abstract not found' and then go to their search page and get many more errors. Can anyone validate this? I have tried to get a free user ID on the site and can't get that to work either - more Cold Fusion problems...

(Detailed error reporting too - hmmm...

An error occurred while evaluating the expression:

Session.AL_BMANAGEISSUES = "#AL_BMANAGEISSUES#"

Error near line 608, column 13.

Error resolving parameter AL_BMANAGEISSUES

ColdFusion was unable to determine the value of the parameter. This problem is very likely due to the fact that either:

1. You have misspelled the parameter name, or
2. You have not specified a QUERY attribute for a CFOUTPUT, CFMAIL, or CFTABLE tag.

The error occurred while processing an element with a general identifier of (CFSET), occupying document position (608:7) to (608:61).

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.

About Bruce Schneier

I am a public-interest technologist, working at the intersection of security, technology, and people. I've been writing about security issues on my blog since 2004, and in my monthly newsletter since 1998. I'm a Special Advisor to IBM Security, a fellow and lecturer at Harvard's Kennedy School, and a board member of EFF. This personal website expresses the opinions of none of those organizations.